Oracle Database TDE (19c)

Integration overview


Integrating Oracle Database 19c Transparent Data Encryption (TDE) with the requires the PKCS #11 (FXPKCS11) library. After you configure TDE, you can store the Master Encryption Key (MEK) used for TDE on a FIPS 140-2 Level 3-validated HSM (such as the ), adding a layer of protection for data at rest.

The MEK encrypts the Oracle Table Keys, which encrypt or decrypt columns or tablespaces locally in the database. Each table has its own table key. From the client application perspective, the encryption and decryption process is transparent, so you don't need to modify the existing application. We recommend that the connection between the PKCS #11 library and the be a mutually authenticated TLS connection, but we also support server-side authentication.

The instructions for configuring the PKCS #11 library with Oracle Database running in a Docker container cover mutual authentication using only TLS certificates.

This guide provides the required information to configure PKCS #11 with Oracle Database 19c so that you can generate the TDE Master Encryption Key and store it on the for encrypting the Oracle Table Keys.
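
Once the configuration is in place, the key hierarchy described above can be checked from the database side. The read-only queries below are an added example, not part of the original guide; they use Oracle's standard dynamic and dictionary views and assume a session with privileges to read them (for example, a user granted SELECT_CATALOG_ROLE).

```sql
-- 1. Keystore: confirm the active keystore is the HSM (reached through the
--    PKCS #11 library) and that it is open. Expect WRL_TYPE = 'HSM',
--    WALLET_TYPE = 'HSM' and STATUS = 'OPEN'. A row with WRL_TYPE = 'FILE'
--    and STATUS = 'OPEN' means a software keystore is still in use.
SELECT con_id, wrl_type, wallet_type, status, wallet_order
FROM   v$encryption_wallet
ORDER  BY con_id, wallet_order;

-- 2. Master Encryption Key: list the MEKs the database knows about and where
--    each one lives. Keys created after the HSM configuration should show
--    KEYSTORE_TYPE = 'HARDWARE SECURITY MODULE'; any MEK with
--    'SOFTWARE KEYSTORE' is still held in a wallet file on disk.
SELECT con_id, key_id, keystore_type, creator, creation_time, activation_time
FROM   v$encryption_keys
ORDER  BY con_id, activation_time DESC;

-- 3. Tablespace keys: each encrypted tablespace has its own key, stored
--    wrapped by the MEK identified in MASTERKEYID. Tablespaces absent from
--    this result are not encrypted at the tablespace level.
SELECT t.con_id,
       t.name           AS tablespace_name,
       e.encryptionalg  AS algorithm,
       e.encryptedts    AS encrypted,
       e.status,
       e.masterkeyid
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e
       ON e.ts# = t.ts# AND e.con_id = t.con_id
ORDER  BY t.con_id, t.name;

-- 4. Table keys: columns protected by TDE column encryption. The table key
--    that encrypts them is itself encrypted by the MEK.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;
```

If query 1 reports the HSM keystore as open but query 2 still lists only software-keystore keys, the MEK has not yet been generated on or migrated to the HSM.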